Sunday, November 23, 2008

TiVo MRV — Use a Second Wrapper?

Recently, in TiVo Multi-Room Viewing (Yet Again) and earlier TiVo Multi-Room Viewing entries to this blog, I indicated my disappointment that my second TiVo DVR can't share recordings with my first TiVo if the recordings are copy-protected. I suggested that digital watermarking might be used on TiVo video recordings to enable tracking of the account from which a recorded program has been copied from one TiVo to another using Multi-Room Viewing (MRV).

I have now come to believe watermarking isn't the answer. I'll go into what the answer to the problem of using MRV on copy-protected material is later in this entry. First, more about why watermarking isn't such a good idea.

In the following sample of a graphic image that has been given a watermark ...



... the identity of the image's creator has indelibly become part of the visible image. I suggested that something like this could be done with the video images associated with a TiVo recording when the recording is copied (a) to another TiVo using MRV, or (b) to a computer using TiVoToGo (TTG). The watermark could represent the 10-digit Media Access Key (MAK) of the recording TiVo(s) on a local home network, or else it could contain the user name on the TiVo account associated with the MAK.

After posting my last entry on the subject, I began to worry about whether a watermarking scheme to protect MRV is even feasible, so I started rummaging about in Google to see if watermarking has ever been seriously proposed for TiVo recordings.

It seems that the answer is only a highly qualified yes. In 2005, TiVo Inc. issued this press release indicating it would be using watermarking for TiVoToGo:

To discourage abuse or unlawful use of this feature, TiVo intends to employ "watermark" technologies on programs transferred to a portable device using the TiVoToGo feature that would enable tracking of the account from which a transferred program originated.

In other words, the "low-cost software [that users need to purchase] to facilitate the [TiVoToGo] transfer of content from the PC to ... portable devices" such as an iPod supposedly will watermark the transferred and reformatted content. For example, on a Mac, Roxio's Toast Titanium software transfers a TiVo recording from the TiVo to the Mac, optionally decrypts it (it is received in encrypted form), plays it on the Mac, makes a standard DVD of it, and/or converts it to a format compatible with an iPod.

I have made iPod-compatible copies of TiVo recordings in this way. I can't confirm that they're actually watermarked. They're certainly not visibly watermarked ... but watermarking can also be done invisibly.


Even if watermarking of TiVoToGo conversions is being done invisibly, it seemingly is not really what I'm looking for. The problem I've been fretting about with watermarking MRV transfers, as opposed to TTG conversions, is that in the latter the MPEG-2 video in the TiVo recording has to be decoded and then re-encoded in MPEG-4/h.264 format for (say) an iPod. The watermarking can be done rather easily between the decoding step and the re-encoding step.

But with MRV there is no decode/re-encode process. (Nor is there in TTG, prior to the actual format conversion which is the optional final step.) Instead, the intact MPEG-2 program stream as recorded on the TiVo, complete with the "wrapper" that the recording TiVo has added to the stream in order to encrypt it and keep it from being used in the absence of a TiVo-authorized decryption algorithm, is copied to the receiving TiVo as is. There is no convenient opportunity to watermark the video, visibly or invisibly.


So, if watermarking is out, what is in?

Watermarking is out, I repeat, due to the need to burrow down to an inner level of the information in the MPEG-2 program stream — the digitally encoded video information itself — decode it, add a watermark to it, and re-encode it. Such a process is difficult and time-consuming, and decoding and re-encoding lossy MPEG-2 video compression sacrifices quality.

If the burrowing-watermarking approach is a non-starter, then perhaps the right way to approach the MRV problem would be to add something to the very outer level of the MPEG stream.

Keep in mind that a TiVo already encases each MPEG-2 program stream that it records in a "wrapper" which in effect encrypts the stream. Unless the playback software or hardware knows the Media Access Key (MAK) of the recording TiVo and knows precisely how that MAK can be used to decrypt the stream, thereby removing the wrapper, playback is impossible.

Still, for better or for worse, that particular TiVo encryption/decryption algorithm has been hacked. Software known as tivodecode is available which can decrypt a .TiVo file that TiVoToGo has transferred to a computer from a TiVo DVR. This software is independent of the official software used with TiVoToGo, such that an average computer user can learn to decode any .TiVo file he has by providing the recording MAK as a parameter to tivodecode. Once the .TiVo file is decrypted, it can be used in any number of ways — including reformatting it to MPEG-4/h.264 for an iPod, with no watermarking whatever!

That means that authorized MRV copying of copy-protected programs needs an extra, better, layer of protection.


I envision it working something like this: when TiVo B wants to receive an MRV copy of a copy-protected program that has been recorded on TiVo A, B uses a secure network connection to send A an encryption key. This key is one which B has made up at random; it is not the MAK which is shared by the two TiVos.

The ad hoc encryption key would be generated by B, the requesting TiVo, at the time the MRV request is initiated. In fact, it could be (based on) a number representing the precise time and date, down to the millisecond or nanosecond, that the MRV request occurs.

The ad hoc encryption key would be transmitted by the receiving TiVo B to the sending TiVo A using something like a "secure socket layer," a type of safeguard against digital eavesdropping that is familiar to all those sending credit card numbers across the Internet.

Once it received the ad hoc encryption key from TiVo B, TiVo A would use it to add a second "wrapper" around the requested program stream, in addition to the wrapper already being used that depends on the MAK. This second wrapper would represent an additional layer of encryption. Only TiVo B, the receiving TiVo which has requested the MRV copy and which has provided the ad hoc key, could remove the second wrapper and play the copy in the customary way.

This strategy of using a second wrapper would apply only to Multi-Room Viewing, not to TiVoToGo. TTG would still not be able to transfer copy-protected programs. Only MRV would be able to do that.
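A minimal model of the second-wrapper exchange described above, added here as an illustration and not TiVo's or this blog's code: B generates the ad hoc key, A puts a second wrapper around the already-wrapped recording, and B removes both layers. The cipher is a standard-library stand-in (HMAC-SHA256 keystream with encrypt-then-MAC), `mak_key` and every function name are hypothetical, and the secure channel that carries the key is not modelled; `timestamp_key_bits` shows why this sketch draws the key from a CSPRNG rather than deriving it from the request time.

```python
import hashlib, hmac, math, secrets

def _prf(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()

def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # HMAC-SHA256 in counter mode: a stdlib stand-in for a real cipher such as AES-CTR.
    blocks = (len(data) + 31) // 32
    ks = b"".join(_prf(key, nonce + i.to_bytes(8, "big")) for i in range(blocks))
    return bytes(a ^ b for a, b in zip(data, ks))

def wrap(key: bytes, data: bytes) -> bytes:
    """Encrypt-then-MAC; returns nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    ct = _xor_stream(_prf(key, b"enc"), nonce, data)
    return nonce + ct + _prf(_prf(key, b"mac"), nonce + ct)

def unwrap(key: bytes, blob: bytes) -> bytes:
    """Verify the tag, then decrypt; raises ValueError on a wrong key or tampering."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _prf(_prf(key, b"mac"), nonce + ct)):
        raise ValueError("wrapper rejected: wrong key or modified stream")
    return _xor_stream(_prf(key, b"enc"), nonce, ct)

def mak_key(mak: str) -> bytes:
    # Hypothetical derivation; how the real TiVo wrapper uses the MAK is not modelled.
    return hashlib.sha256(b"inner-wrapper:" + mak.encode()).digest()

def new_adhoc_key() -> bytes:
    # TiVo B: 256 bits from the OS CSPRNG, generated fresh for each MRV request.
    return secrets.token_bytes(32)

def send_from_a(stored: bytes, adhoc_key: bytes) -> bytes:
    # TiVo A: the second wrapper goes around the MAK-wrapped recording as is.
    return wrap(adhoc_key, stored)

def receive_on_b(on_wire: bytes, adhoc_key: bytes, mak: str) -> bytes:
    # TiVo B: strip the outer (ad hoc) wrapper, then the inner (MAK) wrapper.
    return unwrap(mak_key(mak), unwrap(adhoc_key, on_wire))

def timestamp_key_bits(window_seconds: float, resolution_seconds: float) -> float:
    # Bits of uncertainty in a time-derived key when the request time can be bounded.
    return math.log2(window_seconds / resolution_seconds)

if __name__ == "__main__":
    mak, key = "0123456789", new_adhoc_key()  # constructed 10-digit MAK
    stored = wrap(mak_key(mak), b"MPEG-2 program stream bytes (constructed)")
    print(receive_on_b(send_from_a(stored, key), key, mak))
    print(round(timestamp_key_bits(3600, 1e-9), 1), "bits vs", len(key) * 8)
```

A key taken from a nanosecond clock reading known to within an hour carries under 42 bits of uncertainty, against 256 for the random key.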


The general idea here would be that the only real threat to digital rights management posed by TiVo MRV has to do with eavesdropping. If two TiVos, using nothing but approved methods, send copies of copy-protected programs between themselves on a home network in a way that is completely secure from eavesdropping, there is presumably no possibility of illicit activity.

An assumption here, accordingly, is that the elaborate new authentication protocol I am suggesting for MRV would make the process unhackable — that is, the MRV "handshake" between two authorized TiVos (including, but not limited to, the secure transmission of the ad hoc key) could never be faked by a computer hacker programming his computer to pretend to be "TiVo B," the requesting TiVo. Hence, the only way the hacker could get access to the copy-protected MPEG stream being transmitted on the network would be by "listening in" on its MRV transmission while it is in progress. But that would only get him an encrypted program stream that he lacks the ad hoc key to decrypt.
